esim
Entrust PKIaaS provides the following certificate profiles for eSIM end entities.
- esim-delivery-auth
- esim-delivery-binding
- esim-delivery-tls-server
- esim-discovery-auth
- esim-discovery-tls-server
These profiles support the following features.
- Use cases
- Key usages and certificate policies
- Certificate fields
- Certificate extensions
- Distinguished names
Use cases
All eSIM profiles support the CA Gateway API use case.
Key usages and certificate policies
The following table lists the Key Usage, Extended Key Usage (EKU), and Certificate Policy extension values set by each eSIM profile. The certificate policy OIDs are the GSMA RSP role identifiers (the 2.23.146.1.2.1 arc); a relying party uses them to tell an SM-DP+ authentication certificate from, for example, a TLS server certificate issued by the same CA.
| Profile | Key Usage | Extended Key Usage | Certificate Policy |
|---|---|---|---|
| esim-delivery-auth | Digital Signature | — | id-rspRole-dp-auth (OID 2.23.146.1.2.1.4) |
| esim-delivery-binding | Digital Signature | — | id-rspRole-dp-pb (OID 2.23.146.1.2.1.5) |
| esim-delivery-tls-server | Digital Signature | TLS server authentication (OID 1.3.6.1.5.5.7.3.1) | id-rspRole-dp-tls (OID 2.23.146.1.2.1.3) |
| esim-discovery-auth | Digital Signature | — | id-rspRole-ds-auth (OID 2.23.146.1.2.1.7) |
| esim-discovery-tls-server | Digital Signature | TLS server authentication (OID 1.3.6.1.5.5.7.3.1) | id-rspRole-ds-tls (OID 2.23.146.1.2.1.6) |
Certificate fields
All eSIM profiles set the following certificate fields.
| Field | Value |
|---|---|
| Issuer | Customer’s subordinate issuing CA. |
| Subject | No constraint |
| Validity period | Less than or equal to the expiry of the issuing CA. Defaults to 3 years if not specified in the request. |
Certificate extensions
All eSIM profiles set the following certificate extensions.
| Extension | Critical | Value |
|---|---|---|
| AIA | No | Supplied if the customer enables OCSP when creating the CA |
| Authority Key Identifier | No | Matches the subjectKeyIdentifier of the signing certificate |
| Basic Constraints | Yes | cA=False (end-entity certificate; these profiles cannot sign certificates or CRLs) |
| CRL Distribution Points | No | Always present |
| Key Usage | Yes | Digital Signature, as listed per profile in the table above |
| Subject Alternative Name | No | No constraints |
| Subject Key Identifier | No | "The leftmost 160 bits of the SHA-256 hash of the value of the BIT STRING subjectPublicKey" (excluding the tag, length, and unused-bits byte), as described in RFC 7093 section 2, method 1 |
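To check an issued eSIM certificate against the key-usage/policy table and the extensions table above, the following added example (not Entrust PKIaaS code, not from the CA Gateway API) uses only the Python standard library. It DER-encodes and decodes the GSMA rspRole policy OIDs so you can search a DER certificate for the exact bytes the profile should carry, computes the RFC 7093 method-1 Subject Key Identifier from a SubjectPublicKeyInfo, and flags the classic mistake of an end-entity certificate carrying CA key usages. The `ESIM_PROFILES` table is transcribed from this page; `build_sample_spki` is a constructed SubjectPublicKeyInfo whose point bytes are arbitrary (not a real curve point) and exists only to exercise the parser.

```python
"""Added example (not Entrust PKIaaS code): check an eSIM end-entity
certificate's profile-relevant values against the tables on this page,
using only the Python standard library."""
import hashlib

# Transcribed from this page: expected key usage, EKU OIDs, policy OID.
ESIM_PROFILES = {
    "esim-delivery-auth":        ({"digitalSignature"}, set(), "2.23.146.1.2.1.4"),
    "esim-delivery-binding":     ({"digitalSignature"}, set(), "2.23.146.1.2.1.5"),
    "esim-delivery-tls-server":  ({"digitalSignature"}, {"1.3.6.1.5.5.7.3.1"}, "2.23.146.1.2.1.3"),
    "esim-discovery-auth":       ({"digitalSignature"}, set(), "2.23.146.1.2.1.7"),
    "esim-discovery-tls-server": ({"digitalSignature"}, {"1.3.6.1.5.5.7.3.1"}, "2.23.146.1.2.1.6"),
}


def der_encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a full DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    # The first two arcs share one subidentifier: 40*arc0 + arc1.
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))  # continuation bit on all but the last byte
            sub >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([0x06, len(body)]) + bytes(body)


def der_decode_oid(tlv: bytes) -> str:
    """Decode a short-form DER OBJECT IDENTIFIER TLV back to dotted form."""
    if tlv[0] != 0x06 or tlv[1] != len(tlv) - 2:
        raise ValueError("not a short-form OID TLV")
    arcs, sub = [], 0
    for b in tlv[2:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in lead + arcs[1:])


def ski_rfc7093(subject_public_key_bits: bytes) -> bytes:
    """RFC 7093 method 1: leftmost 160 bits of SHA-256 over the BIT STRING
    value of subjectPublicKey (tag, length and unused-bits byte excluded)."""
    return hashlib.sha256(subject_public_key_bits).digest()[:20]


def der_read(buf: bytes, off: int = 0):
    """Read one DER TLV at `off`; return (tag, value, next_off)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln


def ski_from_spki(spki_der: bytes) -> bytes:
    """Extract subjectPublicKey from a DER SubjectPublicKeyInfo and hash it."""
    tag, seq, _ = der_read(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, off = der_read(seq)  # AlgorithmIdentifier, not needed here
    tag, bits, _ = der_read(seq, off)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    return ski_rfc7093(bits[1:])  # drop the unused-bits byte


def check_esim_profile(profile, key_usage, eku, policies, ca) -> list:
    """Findings for a certificate claimed to match `profile`; inputs are the
    key usage names, EKU OIDs, policy OIDs and basicConstraints cA flag read
    from the issued certificate. An empty list means it matches the page."""
    exp_ku, exp_eku, exp_policy = ESIM_PROFILES[profile]
    findings = []
    if ca:
        findings.append("basicConstraints cA=TRUE on an end-entity certificate")
    if set(key_usage) != exp_ku:
        findings.append(f"keyUsage {sorted(key_usage)} != {sorted(exp_ku)}")
    if set(eku) != exp_eku:
        findings.append(f"extendedKeyUsage {sorted(eku)} != {sorted(exp_eku)}")
    if exp_policy not in policies:
        findings.append(f"certificatePolicies lacks {exp_policy}")
    return findings


def build_sample_spki() -> bytes:
    """Constructed sample: id-ecPublicKey/prime256v1 SPKI with arbitrary point
    bytes (not a valid curve point); only used to exercise the parser."""
    alg = der_encode_oid("1.2.840.10045.2.1") + der_encode_oid("1.2.840.10045.3.1.7")
    point = b"\x04" + bytes(range(1, 65))  # uncompressed-point marker + 64 bytes
    body = bytes([0x30, len(alg)]) + alg + bytes([0x03, len(point) + 1, 0x00]) + point
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    print(der_encode_oid("2.23.146.1.2.1.4").hex())  # bytes to grep for in esim-delivery-auth certs
    print(ski_from_spki(build_sample_spki()).hex())
    # An end-entity cert that was issued with CA-style extensions:
    print(check_esim_profile("esim-delivery-tls-server",
                             {"digitalSignature", "keyCertSign", "cRLSign"},
                             {"1.3.6.1.5.5.7.3.1"}, {"2.23.146.1.2.1.3"}, ca=True))
```

In practice you would feed `ski_from_spki` the SubjectPublicKeyInfo pulled from a real certificate (for example with `openssl x509 -pubkey -noout`, base64-decoded) and compare the result with the certificate's Subject Key Identifier extension; a mismatch means the issuing CA did not use the RFC 7093 method this page documents.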
Distinguished names
Entrust PKIaaS does not restrict Distinguished Name (DN) attributes per certificate profile. All certificate profiles accept the following attribute types.
| Alias | OID |
|---|---|
| CN, CommonName | 2.5.4.3 |
| SN, SurName | 2.5.4.4 |
| SERIALNUMBER, DeviceSerialNumber | 2.5.4.5 |
| C, Country | 2.5.4.6 |
| L, Locality | 2.5.4.7 |
| ST, S, State | 2.5.4.8 |
| STREET, StreetAddress | 2.5.4.9 |
| O, Org, Organization | 2.5.4.10 |
| OU, OrganizationalUnit, OrganizationUnit, OrgUnit | 2.5.4.11 |
| T, Title | 2.5.4.12 |
| BUSINESSCATEGORY | 2.5.4.15 |
| POSTALCODE | 2.5.4.17 |
| givenName, G | 2.5.4.42 |
| I, Initials | 2.5.4.43 |
| ORGANIZATIONIDENTIFIER | 2.5.4.97 |
| UID | 0.9.2342.19200300.100.1.1 |
| DC, DomainComponent | 0.9.2342.19200300.100.1.25 |
| Email, E | 1.2.840.113549.1.9.1 |
| unstructuredName | 1.2.840.113549.1.9.2 |
| unstructuredAddress | 1.2.840.113549.1.9.8 |
| JurisdictionOfIncorporationLocalityName | 1.3.6.1.4.1.311.60.2.1.1 |
| JurisdictionOfIncorporationStateOrProvinceName | 1.3.6.1.4.1.311.60.2.1.2 |
| JurisdictionOfIncorporationCountryName | 1.3.6.1.4.1.311.60.2.1.3 |
| TrademarkOfficeName | 1.3.6.1.4.1.53087.1.2 |
| TrademarkCountryOrRegionName | 1.3.6.1.4.1.53087.1.3 |
| TrademarkRegistration | 1.3.6.1.4.1.53087.1.4 |
| LegalEntityIdentifier | 1.3.6.1.4.1.53087.1.5 |
| WordMark | 1.3.6.1.4.1.53087.1.6 |
| MarkType | 1.3.6.1.4.1.53087.1.13 |
| StatuteCountryName | 1.3.6.1.4.1.53087.3.2 |
| StatuteStateOrProvinceName | 1.3.6.1.4.1.53087.3.3 |
| StatuteLocalityName | 1.3.6.1.4.1.53087.3.4 |
| StatuteCitation | 1.3.6.1.4.1.53087.3.5 |
| StatuteURL | 1.3.6.1.4.1.53087.3.6 |